My colleague, Ray Shaw, has pointed out some of the many problems of the Australian Government’s new electronic snooping legislation, the Assistance and Access Bill. But there are a couple of likely results that few (if any) have noticed.
It seems that the Assistance and Access Bill is, as I write,
still before the House of Representatives, so we may yet be spared this
amateurish farce. Maybe. But if it comes, what are the implications?
The Assistance and Access Bill
Reports suggest that the Assistance and Access Bill will empower
the government to require computer and software vendors to have some way of finding
out the content of encrypted communications. There are two ways – in theory –
that this content could be found out:
The encryption could be broken.
Some kind of backdoor could be added to the
encryption system so that the encryption doesn’t need to be broken.
Virtually all encryption systems these days use public key
encryption. I started to write an explanation of how this works, often involving
the difficulty of determining the prime factors of large numbers, but that
stuff isn’t needed to see the problem.
The problem for the security services is that the communications
of potential malefactors are unbreakably secure. As powerful computers become
more powerful, and the ability to brute-force a way in increases, the
encryption system can be very easily enhanced to defeat the attack. Add one
digital bit to the length of the numbers involved, and you more than double the
complexity. Add another bit, and the time taken to break the encryption more
than doubles again.
In short, public key encryption systems are invincibly
secure. The government can issue all the warrants it wants. It might even be
able to force a tech company to assign a team to the task. But the team will
not be able to achieve anything, no matter how hard they try. Not every problem
in the world has a solution.
Yet governments try, accidentally crushing liberties along
the way. In this case, through the Assistance and Access Bill.
Here we get to what the government foolishly thinks is the real solution. That is, it apparently believes that it can require communications software companies to build some kind of backdoor of vulnerability into their software.
Let’s use, say, WhatsApp as our example. WhatsApp promised
totally secure communications using end-to-end encryption. If we believe its
claims, and no-one has ever seriously disputed them, your WhatsApp message to
me may be intercepted by someone along the way, but it can never be read by
It seems that what the Australian government wants is for
WhatsApp, and all the others, to build in some kind of backdoor to its
encryption system. Say, a special duplicate key that can also unlock the
contents, should it be served with a warrant.
Now most of the commentary I see about this worries,
strangely, about how that might make the system less secure to other, nefarious
third parties. Well, sorry, no it wouldn’t. Assuming, that is, WhatsApp could
maintain security of the backdoor key, your communications would remain as
secure as ever. At least until the government felt suspicious enough about you
to get a warrant to break into your communications.
What will happen?
The problem is something completely different.
Let’s say that you are WhatsApp. Let’s say that the
government does pass the Assistance and Access Bill. So, the Australian
government comes to you next year some time and says: “We insist that you build
a backdoor into your app so that when we get a warrant, we can read bad
people’s WhatApp messages.”
What do you do?
Well, you could comply. But your entire business depends on
everyone believing that WhatsApp messages are utterly secure. So, could you
comply but kind of keep the backdoor secret?
Well, no, you couldn’t. There is such a thing as consumer
law. The new Australian legislation seems to have stuff in it which protects
you from Australian consumer law in these circumstances. But it won’t protect
you from US law. You know, the law of the country where your headquarters is
located. The law of the country which has 300+ million potential customers,
rather than Australia’s 25-ish million. So, you’d have to declare that your
software is no longer invincibly secure, but subject to warrants from the
Naturally you’d have a public relations nightmare. How many
journalists, or even computer technical writers, understand public key
encryption? How many understand nondeterministic polynomial time complexity?
(That’s so-called NP complexity.) How many even know what integer factorisation
No, the message would be simple: WhatsApp was once utterly
secure. And now it isn’t any more.
So, you’re WhatsApp. What do you do?
You say to the Australian Government: “Sorry, that would
destroy our business. We will henceforth withdraw from your market.”.
Australians would find that their WhatsApp apps would no longer work. WhatsApp
would be geoblocked in Australia in the App and Play Stores.
If you used a VPN to get around the geoblocking, WhatsApp
wouldn’t mind. It would only be interested in its executives not being sent to
jail, should they happen to go to Surfer’s Paradise for a holiday.
The terrorists? If they
get worried about WhatsApp, they’ll use something else (that is equally not
within Australian jurisdiction).
So, to the extent that this legislation requires backdoors
to otherwise secure communications systems, it will achieve nothing. Except
making it harder for law abiding Australians to enjoy secure communications.
And VPNs. Remember, the good VPNs use similar encryption technologies. So, they
also will have to retire from the Australian market, at least officially.
But there will always be ways. There always are. Australians
who want secure communications will find some way of getting WhatsApp or a VPN
The next step then? Criminalisation of acquisition or use by
Australians of a communications channel which cannot be spied upon by the
Why not stop this silliness right now, before
the passage of the Assistance and Access Bill.